Mexico Spyware Inquiry Bogs Down. Skeptics Aren’t Surprised.

The spying technology, developed by an Israeli cyber-arms manufacturer, is sold only to governments, and under the explicit condition that it be used only to track terrorists and other criminals.

After it became clear that the technology had been used much more broadly than that, the Mexicans sent a list of questions to American law enforcement officials to show their seriousness about investigating.

But the questions required no more than a basic computer science degree to answer, one American official said. The Mexican government — which operated the surveillance technology itself — was more than capable of solving the case on its own if it wanted to, the official said.

The F.B.I. declined to comment.

There are many potential reasons Mexican officials, if they were serious about investigating, might want American help, even if they did not necessarily need it. The Mexican public is deeply suspicious of its government, so the participation of American law enforcement officials could help build trust in the findings.

But more than six months after the investigation was announced, some of the American concerns appear to be bearing out, according to victims of the spying and their lawyers, who have had access to the case files.

The government inquiry has failed to make headway in many basic areas, they contend. Prosecutors handling the case have yet to question any of the officials responsible for operating the surveillance technology, according to the victims’ lawyers and their review of the case file.

The Mexican government declined to offer specific comments on the investigation but said it remains “in the phase of exhausting different lines of investigation.” It also said that it had been in constant contact with the group of forensic analysts that first discovered the existence of the spyware, the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, and that it had sought counsel from other national and international experts.

The Citizen Lab seemed taken aback by the assertion.

“That’s a surprising statement, given that we have had exactly one meeting with them and have received no further follow-up,” said John Scott-Railton, a senior researcher there. He said the Citizen Lab answered the government’s questions at that meeting, in October, and even suggested a list of evidence to preserve for the investigation.

The spying software, known as Pegasus, infiltrates smartphones to monitor every detail of a person’s cellular life — calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target’s smartphone into a personal bug.

Photo

Carmen Aristegui speaking at a demonstration after the killing of a Mexican journalist in 2017.Credit Miguel Tovar/LatinContent, via Getty Images

But investigators have not even identified the government employees who operate the technology, or visited the offices where the spying operation was conducted, according to interviews with the victims and their lawyers and the the case files.

Prosecutors have for now also declined to examine the servers used by the officials who operated the spying technology, according to the case files and the lawyers. Those servers, according to cyber-forensic analysts and the Israeli manufacturers of the spyware, would contain a record of every attempted hack on every single target.

“It is highly likely that the political actors who were using this software are now keeping this investigation from making any progress at all,” said Mario Ignacio Álvarez, a former deputy at the nation’s attorney general’s office. “This is still a country where it is better to pray to the Virgin of Guadalupe for justice than to the authorities.”

That is not to say that the case file is empty. It already stands several feet tall, stacked with sheaths of documents. But they are often as pointless as they are copious, lawyers for the victims of the spying contend.

Investigators have included printouts of basic Google searches related to the case, including some of the victims’ Facebook pages. And the bulk of the file is dedicated to the rolling responses from about 2,000 municipalities that were asked by prosecutors if they possessed the software. The requests include townships of fewer than 500 people with annual budgets that are a fraction of the roughly $ 80 million that the Mexican government spent to purchase the surveillance system.

“Once more we have entered into a bureaucratic labyrinth that will take us nowhere,” said Leopoldo Maldonado, a lawyer for a journalist protection group, Article 19, which is representing several victims in the case. “This is not a serious investigation.”

One of the documents contained in the case file, according to those who have reviewed it, is an admission by the nation’s attorney general’s office that it purchased the software. But the prosecutors assigned to solving the case are employed by the attorney general’s office — offering little hope to the spying victims that the agency will vigorously investigate itself.

Photo

Mario Patrón, director of a human rights group, at a news conference last year. Ms. Aristegui is next to him.Credit Eduardo Verdugo/Associated Press

“We knew from the beginning that it would be very hard to have a real investigation, but this is a clear demonstration of the lack of an independent system in Mexico,” said Carmen Aristegui, one of Mexico’s most renowned journalists, who endured dozens of hacking attempts using the Pegasus spyware. “We are the political targets of a government that combats its critics with illegal tools.”

Lawyers for the victims have taken the government to court, hoping to force a more thorough inquiry.

In written responses to the suit, prosecutors say they are waiting for the opportune moment to review the servers and question participants in the hacking program, but have not refused outright to do so.

They also claim that the cutting-edge malware does not allow them to track the targets, according to documents in the case file. “The software has no reporting function that offers a registry of numbers that might have been intercepted,” according to the file.

But this is at odds with the description of the spyware given to The Times last year by its manufacturer, the NSO Group. Officials at the company said the contracts were based on a specific number of spying targets, and that the system installed on site at the government agency tracked every time it was used.

Even critics accustomed to the Kabuki dance of independent investigations in Mexico, where officials publicly promise to root out corruption but do little to punish the culprits, have expressed surprise. To some, the lack of an investigation is almost as worrisome as the spying itself.

“It translates into still feeling vulnerable,” said Luis Fernando García, the director of R3D, a digital rights group representing several victims. “When nothing happens, it emboldens those with this kind of technology to continue using it illegally.”

Prosecutors insist they need the phones of the spying victims to proceed with their investigation.

But forensic experts — as well as victims of the spyware in Panama, where the former president has been charged with illegal espionage — say the target’s phone is unnecessary to conduct an inquiry. The servers, they say, are all that is really required.

Photo

Luis Fernando García, director of a digital rights group, in his office in Mexico City.Credit Adriana Zehbrauskas for The New York Times

“This is the height of cynicism, to transfer blame for the lack of investigation to the victims,” said Mario Patrón, a target of the hacking and the executive director of the Miguel Agustín Pro Juárez Human Rights Center, one of Mexico’s most respected human rights groups.

One of the most glaring omissions in the file, the victims’ lawyers say, is the contract that the Attorney General’s office signed with the software manufacturer. While some of that and other material is secret for reasons of national security, the government says, there are other leads that prosecutors appear to have ignored.

For instance, they have not questioned the individual in charge of the division that used the spyware, Tomás Zerón, a close ally of the president, according to the case files and the lawyers. The office, known as the Criminal Investigation Agency, was run by Mr. Zeron at the time of the hacking.

Mr. Zerón’s name has surfaced in scandals before. He was the chief investigator into the mysterious disappearance of 43 teaching students who clashed with the police in 2014. The case remains unresolved. Mr. Zerón was removed from his post in 2016, after video obtained by international investigators looking into the disappearances showed him handling evidence related to the case that was never logged in any official files, they said.

Mr. Zerón, through an aide, declined to comment.

Independent groups, meanwhile, appear to be making some progress in unearthing details about the purchase of the software.

This month, the group Mexicans Against Corruption and Impunity said it had discovered a link between an individual who was working for the Attorney General’s office and the company that sold the software to the law enforcement agency.

Salvador Camarena, an investigative editor with Mexicans Against Corruption and Impunity, whose team has been looking into the companies associated with the sale, was himself a target of spying. But unlike other victims, he chose not to file a complaint with the government.

“I saw it as a waste of time,” he said. “Why on earth would they want to investigate themselves?”

But in recent weeks, Mr. Camarena decided to file a complaint to review what the government had done.

“It was journalistic curiosity,” he said, “to see what I could find out about who targeted me.”